/src/openssl/providers/implementations/ciphers/ciphercommon_block.c

Source (jump to first uncovered line)
/*
 * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <assert.h>
/* For SSL3_VERSION, TLS1_VERSION etc */
#include <openssl/prov_ssl.h>
#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "internal/constant_time.h"
#include "internal/ssl3_cbc.h"
#include "ciphercommon_local.h"

/*
 * Fills a single block of buffered data from the input, and returns the amount
 * of data remaining in the input that is a multiple of the blocksize. The buffer
 * is only filled if it already has some data in it, isn't full already or we
 * don't have at least one block in the input.
 *
 * buf: a buffer of blocksize bytes
 * buflen: contains the amount of data already in buf on entry. Updated with the
 *         amount of data in buf at the end. On entry *buflen must always be
 *         less than the blocksize
 * blocksize: size of a block. Must be greater than 0 and a power of 2
 * in: pointer to a pointer containing the input data
 * inlen: amount of input data available
 *
 * On return buf is filled with as much data as possible up to a full block,
 * *buflen is updated containing the amount of data in buf. *in is updated to
 * the new location where input data should be read from, *inlen is updated with
 * the remaining amount of data in *in. Returns the largest value <= *inlen
 * which is a multiple of the blocksize.
 */
size_t ossl_cipher_fillblock(unsigned char *buf, size_t *buflen,
                             size_t blocksize,
                             const unsigned char **in, size_t *inlen)
{
    size_t blockmask = ~(blocksize - 1);
    size_t bufremain = blocksize - *buflen;

    assert(*buflen <= blocksize);
    assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);

    if (*inlen < bufremain)
        bufremain = *inlen;
    memcpy(buf + *buflen, *in, bufremain);
    *in += bufremain;
    *inlen -= bufremain;
    *buflen += bufremain;

    return *inlen & blockmask;
}

/*
 * Fills the buffer with trailing data from an encryption/decryption that didn't
 * fit into a full block.
 */
int ossl_cipher_trailingdata(unsigned char *buf, size_t *buflen, size_t blocksize,
                             const unsigned char **in, size_t *inlen)
{
    if (*inlen == 0)
        return 1;

    if (*buflen + *inlen > blocksize) {
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    memcpy(buf + *buflen, *in, *inlen);
    *buflen += *inlen;
    *inlen = 0;

    return 1;
}

/* Pad the final block for encryption */
void ossl_cipher_padblock(unsigned char *buf, size_t *buflen, size_t blocksize)
{
    size_t i;
    unsigned char pad = (unsigned char)(blocksize - *buflen);

    for (i = *buflen; i < blocksize; i++)
        buf[i] = pad;
}

int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
{
    size_t pad, i;
    size_t len = *buflen;

    if (len != blocksize) {
        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * The following assumes that the ciphertext has been authenticated.
     * Otherwise it provides a padding oracle.
     */
    pad = buf[blocksize - 1];
    if (pad == 0 || pad > blocksize) {
        ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
        return 0;
    }
    for (i = 0; i < pad; i++) {
        if (buf[--len] != pad) {
            ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
            return 0;
        }
    }
    *buflen = len;
    return 1;
}

/*-
 * ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC
 * record in constant time. Also removes the MAC from the record in constant
 * time.
 *
 * libctx: Our library context
 * tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
 * buf: The decrypted TLS record data
 * buflen: The length of the decrypted TLS record data. Updated with the new
 *         length after the padding is removed
 * block_size: the block size of the cipher used to encrypt the record.
 * mac: Location to store the pointer to the MAC
 * alloced: Whether the MAC is stored in a newly allocated buffer, or whether
 *          *mac points into *buf
 * macsize: the size of the MAC inside the record (or 0 if there isn't one)
 * aead: whether this is an aead cipher
 * returns:
 *   0: (in non-constant time) if the record is publicly invalid.
 *   1: (in constant time) Record is publicly valid. If padding is invalid then
 *      the mac is random
 */
int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
                              unsigned char *buf, size_t *buflen,
                              size_t blocksize,
                              unsigned char **mac, int *alloced, size_t macsize,
                              int aead)
{
    int ret;

    switch (tlsversion) {
    case SSL3_VERSION:
        return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
                                               alloced, blocksize, macsize,
                                               libctx);

    case TLS1_2_VERSION:
    case DTLS1_2_VERSION:
    case TLS1_1_VERSION:
    case DTLS1_VERSION:
    case DTLS1_BAD_VER:
        /* Remove the explicit IV */
        buf += blocksize;
        *buflen -= blocksize;
        /* Fall through */
    case TLS1_VERSION:
        ret = tls1_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
                                              alloced, blocksize, macsize,
                                              aead, libctx);
        return ret;

    default:
        return 0;
    }
}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <assert.h>
11		/* For SSL3_VERSION, TLS1_VERSION etc */
12		#include <openssl/prov_ssl.h>
13		#include <openssl/rand.h>
14		#include <openssl/proverr.h>
15		#include "internal/constant_time.h"
16		#include "internal/ssl3_cbc.h"
17		#include "ciphercommon_local.h"
18
19		/*
20		* Fills a single block of buffered data from the input, and returns the amount
21		* of data remaining in the input that is a multiple of the blocksize. The buffer
22		* is only filled if it already has some data in it, isn't full already or we
23		* don't have at least one block in the input.
24		*
25		* buf: a buffer of blocksize bytes
26		* buflen: contains the amount of data already in buf on entry. Updated with the
27		* amount of data in buf at the end. On entry *buflen must always be
28		* less than the blocksize
29		* blocksize: size of a block. Must be greater than 0 and a power of 2
30		* in: pointer to a pointer containing the input data
31		* inlen: amount of input data available
32		*
33		* On return buf is filled with as much data as possible up to a full block,
34		* buflen is updated containing the amount of data in buf. in is updated to
35		* the new location where input data should be read from, *inlen is updated with
36		* the remaining amount of data in in. Returns the largest value <= inlen
37		* which is a multiple of the blocksize.
38		*/
39		size_t ossl_cipher_fillblock(unsigned char buf, size_t buflen,
40		size_t blocksize,
41		const unsigned char *in, size_t inlen)
42	0	{
43	0	size_t blockmask = ~(blocksize - 1);
44	0	size_t bufremain = blocksize - *buflen;
45
46	0	assert(*buflen <= blocksize);
47	0	assert(blocksize > 0 && (blocksize & (blocksize - 1)) == 0);
48
49	0	if (*inlen < bufremain)
50	0	bufremain = *inlen;
51	0	memcpy(buf + buflen, in, bufremain);
52	0	*in += bufremain;
53	0	*inlen -= bufremain;
54	0	*buflen += bufremain;
55
56	0	return *inlen & blockmask;
57	0	}
58
59		/*
60		* Fills the buffer with trailing data from an encryption/decryption that didn't
61		* fit into a full block.
62		*/
63		int ossl_cipher_trailingdata(unsigned char buf, size_t buflen, size_t blocksize,
64		const unsigned char *in, size_t inlen)
65	0	{
66	0	if (*inlen == 0)
67	0	return 1;
68
69	0	if (buflen + inlen > blocksize) {
70	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
71	0	return 0;
72	0	}
73
74	0	memcpy(buf + buflen, in, *inlen);
75	0	buflen += inlen;
76	0	*inlen = 0;
77
78	0	return 1;
79	0	}
80
81		/* Pad the final block for encryption */
82		void ossl_cipher_padblock(unsigned char buf, size_t buflen, size_t blocksize)
83	0	{
84	0	size_t i;
85	0	unsigned char pad = (unsigned char)(blocksize - *buflen);
86
87	0	for (i = *buflen; i < blocksize; i++)
88	0	buf[i] = pad;
89	0	}
90
91		int ossl_cipher_unpadblock(unsigned char buf, size_t buflen, size_t blocksize)
92	0	{
93	0	size_t pad, i;
94	0	size_t len = *buflen;
95
96	0	if (len != blocksize) {
97	0	ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
98	0	return 0;
99	0	}
100
101		/*
102		* The following assumes that the ciphertext has been authenticated.
103		* Otherwise it provides a padding oracle.
104		*/
105	0	pad = buf[blocksize - 1];
106	0	if (pad == 0 \|\| pad > blocksize) {
107	0	ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
108	0	return 0;
109	0	}
110	0	for (i = 0; i < pad; i++) {
111	0	if (buf[--len] != pad) {
112	0	ERR_raise(ERR_LIB_PROV, PROV_R_BAD_DECRYPT);
113	0	return 0;
114	0	}
115	0	}
116	0	*buflen = len;
117	0	return 1;
118	0	}
119
120		/*-
121		* ossl_cipher_tlsunpadblock removes the CBC padding from the decrypted, TLS, CBC
122		* record in constant time. Also removes the MAC from the record in constant
123		* time.
124		*
125		* libctx: Our library context
126		* tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
127		* buf: The decrypted TLS record data
128		* buflen: The length of the decrypted TLS record data. Updated with the new
129		* length after the padding is removed
130		* block_size: the block size of the cipher used to encrypt the record.
131		* mac: Location to store the pointer to the MAC
132		* alloced: Whether the MAC is stored in a newly allocated buffer, or whether
133		* mac points into buf
134		* macsize: the size of the MAC inside the record (or 0 if there isn't one)
135		* aead: whether this is an aead cipher
136		* returns:
137		* 0: (in non-constant time) if the record is publicly invalid.
138		* 1: (in constant time) Record is publicly valid. If padding is invalid then
139		* the mac is random
140		*/
141		int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
142		unsigned char buf, size_t buflen,
143		size_t blocksize,
144		unsigned char *mac, int alloced, size_t macsize,
145		int aead)
146	0	{
147	0	int ret;
148
149	0	switch (tlsversion) {
150	0	case SSL3_VERSION:
151	0	return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
152	0	alloced, blocksize, macsize,
153	0	libctx);
154
155	0	case TLS1_2_VERSION:
156	0	case DTLS1_2_VERSION:
157	0	case TLS1_1_VERSION:
158	0	case DTLS1_VERSION:
159	0	case DTLS1_BAD_VER:
160		/* Remove the explicit IV */
161	0	buf += blocksize;
162	0	*buflen -= blocksize;
163		/* Fall through */
164	0	case TLS1_VERSION:
165	0	ret = tls1_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
166	0	alloced, blocksize, macsize,
167	0	aead, libctx);
168	0	return ret;
169
170	0	default:
171	0	return 0;
172	0	}
173	0	}

Coverage Report

Created: 2025-06-13 06:36